django http://cgit.adnoto.dev/django.git/atom?h=stable%2F6.0.x 2026-02-03T13:05:34Z 2026-02-03T13:05:34Z Jacob Walls jacobtylerwalls@gmail.com 2026-01-21T23:00:13Z urn:sha1:259dff061a9ea85f061ff71c0adb0e07ead693d3 This prevents failures at the database layer, given that aliases in the ON clause are not quoted. Systematically quoting aliases even in FilteredRelation is tracked in https://code.djangoproject.com/ticket/36795. Backport of 005d60d97c4dfb117503bdb6f2facfcaf9315d84 from main. 2026-02-03T13:04:49Z Jacob Walls jacobtylerwalls@gmail.com 2026-01-21T22:53:52Z urn:sha1:15e70cb83e6f7a9a2a2f651f30b28b5cb20febeb Before, `order_by()` treated a period in a field name as a sign that it was requested via `.extra(order_by=...)` and thus should be passed through as raw table and column names, even if `extra()` was not used. Since periods are permitted in aliases, this meant user-controlled aliases could force the `order_by()` clause to resolve to a raw table and column pair instead of the actual target field for the alias. In practice, only `FilteredRelation` was affected, as the other expressions we tested, e.g. `F`, aggressively optimize away the ordering expressions into ordinal positions, e.g. ORDER BY 2, instead of ORDER BY "table".column. Thanks Solomon Kebede for the report, and Simon Charette and Jake Howard for reviews. Backport of 69065ca869b0970dff8fdd8fafb390bf8b3bf222 from main. 2026-02-03T13:03:39Z Jake Howard git@theorangeone.net 2026-01-21T11:14:48Z urn:sha1:0c0f5c2178c01ada5410cd53b4b207bf7858b952 Control characters in FilteredRelation column aliases could be used for SQL injection attacks. This affected QuerySet.annotate(), aggregate(), extra(), values(), values_list(), and alias() when using dictionary expansion with **kwargs. Thanks Solomon Kebede for the report, and Simon Charette, Jacob Walls, and Natalia Bidart for reviews. Backport of e891a84c7ef9962bfcc3b4685690219542f86a22 from main. 2025-10-01T12:17:15Z Mariusz Felisiak felisiak.mariusz@gmail.com 2025-09-10T07:53:52Z urn:sha1:4ceaaee7e04b416fc465e838a6ef43ca0ccffafe Thanks sw0rd1ight for the report. Follow up to 93cae5cb2f9a4ef1514cf1a41f714fef08005200. Backport of 41b43c74bda19753c757036673ea9db74acf494a from main. 2025-09-23T01:52:21Z Ryan P Kilby kilbyr@gmail.com 2025-06-27T20:03:16Z urn:sha1:9575f813afe8f6d40b016cf302d6871f5d38517e ManyToManyField was already excluded from fields, concrete_fields, and local_concrete_fields in Options. Backport of f9a44cc0fac653f8e0c2ab1cdfb12b2cc5c63fc2 from main 2025-09-13T22:27:49Z Simon Charette charette.s@gmail.com 2025-03-19T05:11:34Z urn:sha1:55a0073b3beb9de8f7c1f7c44a7d0bc10126c841 This required implementing UPDATE RETURNING machinery that heavily borrows from the INSERT one. 2025-09-04T16:15:45Z Ryan P Kilby kilbyr@gmail.com 2025-06-26T05:54:50Z urn:sha1:bad03eb108b029dad70cbd997f1fef221da3e415 FieldError is now emitted for invalid update calls involving reverse relations, where previously they failed with AttributeError. 2025-09-03T11:10:58Z Jake Howard git@theorangeone.net 2025-08-13T12:13:42Z urn:sha1:51711717098d3f469f795dfa6bc3758b24f69ef7 Thanks Eyal Gabay (EyalSec) for the report. 2025-08-29T19:33:44Z SaJH wogur981208@gmail.com 2025-08-29T15:45:02Z urn:sha1:bb7a7701b1a0e8fffe14dcebf5d5bac7f176c02a Thanks Jacob Walls and Simon Charette for tests. Signed-off-by: SaJH <wogur981208@gmail.com> 2025-08-29T17:45:08Z Jacob Walls jacobtylerwalls@gmail.com 2025-08-26T12:54:34Z urn:sha1:2d453a2a683d73c64dc32286685eb40cbca7c425